
EnCase Workflow Guidelines

In several Guidance classes, I’ve heard fellow students ask “Can you suggest a standard workflow for using EnCase?” The exact workflow will vary from case to case, but I’ve put together one possible workflow with some help from other contributors to the Forensic Focus forum. Please bear in mind that this is a guideline, a suggestion, just one possible way to work through a case using EnCase. You should clearly understand what each of these steps entails and adjust the workflow to suit your style, your written processes, and the case you are working on.

  1. Create case – Ensure that you have all relevant information – custodians, clients, case name, etc.
  2. Change storage paths as appropriate. I set everything to go to a volume or folder dedicated to the case.
  3. Save All.
  4. Add evidence – E01, LEFs, loose files, etc. Each time you add evidence, you should consider rerunning several of the following steps.
  5. Confirm disk geometry, sector count, partitions. You’re checking to see if everything is accounted for. There may be hidden partitions, for example.
  6. Run Partition Finder if indicated
  7. Run Recover Deleted Folders
  8. Search case – hash and signature analysis. You will probably repeat this each time you add new evidence.
  9. Run File Mounter – recursive, not persistent, create LEF, add LEF to case.
  10. Run Case Processor -> File Finder. Export results, add back in as LEF.
  11. Search case – hash and signature analysis.
  12. Search for encrypted or protected files. Address as appropriate.
  13. Extract registry hives. This can happen at any point; the hives will be fed to RegRipper later.
  14. Index case.
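Step 5 (confirm geometry, sector count and partitions) is about making sure every sector is accounted for. The following is an added example, not code from the original post or from EnCase: it parses the four primary entries of a classic MBR and reports sector ranges that no partition claims, which is where a hidden partition or leftover data would sit. The MBR bytes and the sector count are constructed here for the demonstration; on a real image you would read sector 0 and take the total sector count from the acquisition.

```python
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"


def parse_mbr(mbr: bytes):
    """Return the non-empty primary partition entries of a classic MBR."""
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("sector 0 does not carry an MBR signature (0x55AA)")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and sectors != 0:       # type 0x00 means unused entry
            parts.append({"status": status, "type": ptype,
                          "start": lba_start, "sectors": sectors})
    return parts


def unaccounted_ranges(parts, total_sectors):
    """Sector ranges (start, end-exclusive) not covered by any partition.

    Sector 0 is the MBR itself and is always accounted for. A gap before the
    first partition is usually just 1 MiB alignment; gaps between or after
    partitions deserve a closer look (hidden partition, wiped partition,
    data outside the file system).
    """
    gaps, cursor = [], 1
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"]))
        cursor = max(cursor, p["start"] + p["sectors"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps


def _entry(ptype, start, sectors, status=0x00):
    """Build one 16-byte MBR entry (CHS fields zeroed, LBA fields set)."""
    return bytes([status, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", start, sectors)


# Constructed sample: NTFS partition, a Linux partition after a gap,
# and unused sectors at the end of a 200000-sector disk.
SAMPLE_TOTAL_SECTORS = 200000
SAMPLE_MBR = (bytes(446) + _entry(0x07, 2048, 100000, 0x80)
              + _entry(0x83, 110000, 50000) + bytes(32) + MBR_SIGNATURE)

if __name__ == "__main__":
    for lo, hi in unaccounted_ranges(parse_mbr(SAMPLE_MBR), SAMPLE_TOTAL_SECTORS):
        print(f"unaccounted sectors {lo}-{hi - 1} ({(hi - lo) * SECTOR_SIZE} bytes)")
```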

Depending on the case:

  1. Analyze LNK files and INFO2 records
  2. Extract browser history and carve browser history from unallocated space
  3. Parse the event logs into a CSV format.

Other tasks performed outside of EnCase:

  1. Mount image and scan for viruses. Use several different products and never assume that they’re 100% accurate.
  2. Mount image and run triage tool(s) against it
  3. Run image in LiveView or VFC to see system as user experienced it
  4. Run RegRipper and RipXP against registry hives
  5. Run MFT Ripper against an extracted MFT
  6. etc, etc, etc
  1. Jack
    December 21, 2009 at 1:33 am

    This kind of perspective is very beneficial, just wanted to say thanks.

  2. December 23, 2009 at 11:35 am

    As we also learn in class never publish/document your forensic “process”. It could be used against you in court such as “Why didn’t you follow step #X when examining my client’s computer?” Oh, you forgot a step? What else did you forget?

    • December 23, 2009 at 3:45 pm

      A couple of things to consider:

      1) There is a difference between guidelines and processes. Guidelines are a suggested, rather than required, approach. Write up your processes as guidelines and allow for some latitude. (You’ll note that I said “guidelines” and “exact process will vary from case to case.” in my article.)
      2) If you deviate from your guidelines, or process, document why you did so. Hashes don’t always match but, if you can explain why they differ and why your analysis is still valid, you should carry the day. The same holds true for documented processes.
      3) If you don’t document your processes, how do you teach new staff? How do you ensure that your team conducts investigations in a similar manner? How do you remind yourself to do everything on a process that you use infrequently and isn’t committed to memory?
      4) There are some things you really should do in a particular order. For example, if you run File Mounter, add the resulting LEF back to the case, and don’t do a search to recalculate the hashes and signatures, then any efforts to use hash and signature values will fail on the files in the LEF in the future.

    • January 23, 2010 at 12:39 pm

      In which class were you taught never to publish/document your process?
